meta directory backend and rewriting option '|'
Hello!

I have a question concerning the pipe option '|' when using the meta directory backend and rewriting. In the manual pages the '|' option is marked as not implemented. Does this reflect the actual state of the software, or has somebody just forgotten to update the man page?

Regards,
Hartmut
openldap memberof attribute
Hi, I am doing remote authentication using OpenLDAP to login BIGIP, BIGIP has a feature called remoterole to search attribute 'memberof' from LDAP server and once found the attribute, assign the remote user a role defined in various groups like admin, operator... the feature works for Active Directory, but I am unable to make it work for OpenLDAP, I couldn't find 'memberof' attribute in OpenLDAP schema, so I created the 'memberof' attribute in core.schema as below: [root@centos-vli schema]# diff -u core.schema core.schema.orig --- core.schema 2011-01-24 23:54:42.0 -0800 +++ core.schema.orig2011-01-24 23:46:11.0 -0800 @@ -345,10 +345,6 @@ DESC 'X.520(4th): pseudonym for the object' SUP name ) -attributetype ( 2.5.4.66 NAME 'memberof' -DESC 'RFC2256: member of a group' -SUP distinguishedName ) - # Standard object classes from RFC2256 # system schema 
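Review bot: the attributetype in this hunk takes OID 2.5.4.66 from the 2.5.4 arc, which holds the X.500 standard attribute types and is not available for site-defined attributes; a local definition needs an OID from an arc you control, and it should not be patched into the distributed core.schema at all (that file is replaced on upgrade) but kept in a separate schema file. Note also that the diff was produced as `diff -u core.schema core.schema.orig`, so the `-` lines are the additions, which is easy to misread. As the follow-up in this thread points out, the memberof overlay provides and maintains a memberOf attribute, so a static definition is not needed.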
@@ -425,7 +421,7 @@ objectclass ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL - MUST ( member $ memberof $ cn ) + MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) objectclass ( 2.5.6.10 NAME 'residentialPerson' and here is my sample ldif file: dn: ou=groups,dc=example,dc=com objectclass:organizationalunit ou: groups description: generic groups branch # create the itpeople entry under groups dn: cn=administrator,ou=groups,dc=example,dc=com objectclass: groupofnames cn: administrator description: bigip admin group member: uid=user5,ou=people,dc=example,dc=com dn: uid=user5,ou=People,dc=example,dc=com uid: user5 cn: user5 objectClass: top objectClass: posixaccount objectClass: shadowaccount objectClass: groupOfNames userPassword: secret shadowLastChange: 14997 shadowMin: 0 shadowMax: 9 shadowWarning: 7 loginShell: /bin/bash uidNumber: 505 gidNumber: 505 homeDirectory: /home/user5 member: cn=administrator,ou=groups,dc=example,dc=com memberof: cn=administrator,ou=groups,dc=example,dc=com I can login BIGIP fine with user5, but I can't get the administrator role defined in BIGIP, is it something I configured wrong in OpenLDAP or the problem is on BIGIP Thanks Vincent
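Review bot: putting memberof in the MUST list of groupOfNames makes it mandatory on every group entry, yet the sample LDIF's own group cn=administrator,ou=groups,dc=example,dc=com carries only cn, description and member, so it would fail the schema check; and the user entry had to be given objectClass groupOfNames plus a member value pointing back at the group just to satisfy the same MUST list. A reverse-membership attribute is a property of the member entry, not of the group, and it is only useful when something keeps it in step with member, which a static schema definition cannot do; if it stays in the schema it belongs in a MAY list of the member entries' object class.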
deleting schema elements from cn=config
Hi,

I'm trying to understand how to delete a schema element. I'm running slapd 2.4.23 on FreeBSD 8.1. When I try to run ldapdelete:

ldapdelete -H ldap://localhost -D uid=tjg,cn=config -W -x 'cn={7}java,cn=schema,cn=config'

I get the following in the log file:

--
daemon: read activity on 18
daemon: select: listen=6 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=1068
connection_read(18): checking for input on id=1068
op tag 0x4a, time 1296090324
conn=1068 op=1 do_delete
dnPrettyNormal: cn={7}java,cn=schema,cn=config
daemon: activity on 1 descriptor
dnPrettyNormal: cn={7}java,cn=schema,cn=config, cn={7}java,cn=schema,cn=config
conn=1068 op=1 DEL dn=cn={7}java,cn=schema,cn=config
send_ldap_result: conn=1068 op=1 p=3
send_ldap_result: err=53 matched= text=
send_ldap_response: msgid=2 tag=107 err=53
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=zero
conn=1068 op=1 RESULT tag=107 err=53 text=
daemon: activity on 1 descriptor
daemon: activity on: 18r
--

cn={7}java,cn=schema,cn=config is empty; I've already deleted all the objectClass and attribute definitions from it, but now it seems I can't delete the schema entry itself. What am I doing wrong?

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
Re: openldap memberof attribute
Vincent Li wrote:
> I couldn't find 'memberof' attribute in OpenLDAP schema, so I created the
> 'memberof' attribute in core.schema as below:

The overlay memberof is what you're looking for.

man 5 slapo-memberof

Ciao, Michael.
MemberOf attribute not being returned
Hi,

I'm sure this was working in the past on this server but I'm now not getting anything returned when I request the memberOf attribute. I compiled OpenLDAP 2.4.23 with the following flags:

./configure --prefix=/usr/local/authz --enable-meta --enable-ldap --enable-bdb --enable-monitor --enable-syncprov --enable-translucent --enable-memberof --enable-dyngroup --enable-dynlist --with-threads --with-tls --with-cyrus-sasl --enable-syslog --enable-spasswd
cd
make depend
make
make test
make install

I'm using slapd.d and I have the following in /usr/local/authz/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb:

olcOverlay={0}dynlist.ldif
olcOverlay={1}memberof.ldif
olcOverlay={2}syncprov.ldif

The contents of olcOverlay\=\{1\}memberof.ldif are:

dn: olcOverlay={1}memberof
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcMemberOfDangling: ignore
olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: posixGroup
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
structuralObjectClass: olcMemberOf
entryUUID: 4d5a3aa8-fbac-45c9-b259-941d13e02724
creatorsName: cn=config
createTimestamp: 20100318151149Z
entryCSN: 20100318151149.488341Z#00#003#00
modifiersName: cn=config
modifyTimestamp: 20100318151149Z
olcOverlay: {1}memberof

The log is attached (openldap.log). Any ideas? The only thing I've changed recently is the ACLs.

Kind regards,
Mark

/* Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk */

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
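Added example, not code from OpenLDAP or from any poster in this thread: what slapo-memberof computes for you, done offline in Python. It reads a constructed LDIF modelled on Vincent's sample entries (the group re-pointed at a hypothetical uid=user6 and at a nonexistent uid=ghost, while user5 still carries its hand-typed memberof), derives memberOf from the groups' member values for the class and attribute that olcMemberOfGroupOC and olcMemberOfMemberAD name in Mark's configuration, and applies the three values olcMemberOfDangling accepts (ignore, drop, error). It also shows why a memberof value that is stored by hand, as in Vincent's LDIF, or replicated from a server that does not run the overlay, as Mark later diagnoses, cannot be trusted: nothing recomputes it when the group changes.

```python
"""Reverse group membership, computed the way slapo-memberof maintains it.

Added example (not OpenLDAP's code): parses a constructed LDIF modelled on
the thread's sample entries, derives memberOf from each group's member
values, and applies the three olcMemberOfDangling policies.
"""
from collections import defaultdict

# Constructed sample.  The group now points at user6 (hypothetical) and at a
# nonexistent uid=ghost; user5 still carries a memberof value typed by hand.
# Note the mixed case 'ou=People' in the entry DNs versus 'ou=people' in the
# member values, exactly as in the thread's own LDIF.
SAMPLE_LDIF = """\
dn: cn=administrator,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: administrator
description: bigip admin group
member: uid=user6,ou=people,dc=example,dc=com
member: uid=ghost,ou=people,dc=example,dc=com

dn: uid=user5,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: user5
memberof: cn=administrator,ou=groups,dc=example,dc=com

dn: uid=user6,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: user6
"""


def normalize_dn(dn):
    """Approximate LDAP DN matching: lower-case, trim whitespace around RDNs.
    Enough for these DNs; real DN matching also normalizes each attribute
    value according to its matching rule."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Minimal LDIF reader -> {normalized dn: {attr (lower-case): [values]}}.
    No base64 values or folded lines, which the sample does not use."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:            # a blank line ends the entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), defaultdict(list))
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current[attr].append(value)
    return entries


def derive_memberof(entries, group_oc="groupOfNames", member_ad="member",
                    dangling="ignore"):
    """Return {member dn: sorted group dns} for every entry that some group
    of class group_oc lists in member_ad (olcMemberOfGroupOC and
    olcMemberOfMemberAD in the thread's config).  dangling selects what
    happens to member values that point at no entry: 'ignore' keeps them,
    'drop' removes them from the group, 'error' refuses the group."""
    if dangling not in ("ignore", "drop", "error"):
        raise ValueError("dangling must be ignore, drop or error")
    memberof = defaultdict(set)
    for group_dn, attrs in entries.items():
        classes = [oc.lower() for oc in attrs.get("objectclass", [])]
        if group_oc.lower() not in classes:
            continue
        kept = []
        for value in attrs.get(member_ad, []):
            target = normalize_dn(value)
            if target in entries:
                memberof[target].add(group_dn)
                kept.append(value)
            elif dangling == "error":
                raise LookupError("dangling %s in %s: %s"
                                  % (member_ad, group_dn, value))
            elif dangling == "ignore":
                kept.append(value)
        if dangling == "drop":
            attrs[member_ad] = kept     # prune the dangling references
    return {dn: sorted(groups) for dn, groups in memberof.items()}


def stale_memberof(entries):
    """Entries whose stored memberof disagrees with what the groups say:
    {dn: (stored, derived)}.  A value maintained by hand, or copied from a
    server without the overlay, shows up here."""
    derived = derive_memberof(entries)
    stale = {}
    for dn, attrs in entries.items():
        stored = sorted(normalize_dn(v) for v in attrs.get("memberof", []))
        if stored != derived.get(dn, []):
            stale[dn] = (stored, derived.get(dn, []))
    return stale


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for dn, (stored, derived) in sorted(stale_memberof(data).items()):
        print("%s\n  stored:  %s\n  derived: %s" % (dn, stored, derived))
    derive_memberof(data, dangling="drop")
    print("group members after drop:",
          data["cn=administrator,ou=groups,dc=example,dc=com"]["member"])
```

The DN normalization is a deliberately simple lower-case-and-trim approximation of LDAP DN matching; it is there because Vincent's LDIF writes ou=People in the entry DN and ou=people in the member value, which a byte-for-byte comparison would wrongly treat as a dangling reference.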
RE: MemberOf attribute not being returned
Never mind, I think I know what's happening. My user account was updated on our current live server running OpenLDAP 2.3, which doesn't have the MemberOf overlay. When this change was applied using syncrepl the memberOf field must have been removed. I'll take the old server out of the syncrepl, but in the meantime is there any way to ensure this field is preserved when provisioning accounts in LDAP?

Kind regards,
Mark

/* Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk */
Re: MemberOf attribute not being returned
Mark Cairney wrote:
> Hi,
>
> I'm sure this was working in the past on this server but I'm now not getting anything returned when I request the memberOf attribute. I compiled OpenLDAP 2.4.23 with the following flags:
>
> ./configure --prefix=/usr/local/authz --enable-meta --enable-ldap --enable-bdb --enable-monitor --enable-syncprov --enable-translucent --enable-memberof --enable-dyngroup --enable-dynlist --with-threads --with-tls --with-cyrus-sasl --enable-syslog --enable-spasswd
> cd
> make depend
> make
> make test
> make install
>
> I'm using slapd.d and I have the following in /usr/local/authz/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb:
>
> olcOverlay={0}dynlist.ldif
> olcOverlay={1}memberof.ldif
> olcOverlay={2}syncprov.ldif
>
> The contents of olcOverlay\=\{1\}memberof.ldif are:

You should not be poking or peeking at the files inside slapd.d. You should be using slapcat -n0 or ldapsearch -b cn=config to show the contents of the config database. As with other slapd databases, its structure and format are subject to change without notice at any time. The only thing guaranteed to remain compatible is the LDAP interfaces to the database.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: MemberOf attribute not being returned
Warning duly noted. less-ing the files in question seemed like the best way of providing a concise description of what configuration I had and where in the config it lay. As it stands I answered my question anyway.

Kind regards,
Mark

On 27 Jan 2011, at 12:16, Howard Chu wrote:

> Mark Cairney wrote:
>> [quoted message trimmed]
>
> You should not be poking or peeking at the files inside slapd.d. You should be using slapcat -n0 or ldapsearch -b cn=config to show the contents of the config database. As with other slapd databases, its structure and format are subject to change without notice at any time. The only thing guaranteed to remain compatible is the LDAP interfaces to the database.
>
> --
> Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/

/* Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk */
slapo-cache and searches by dynlist (with !)
Hello,

I'm trying to use the pcache overlay to cache queries done by the dynlist overlay. This is the configuration I have:

database hdb
suffix userSuffix
...
overlay dynlist
dynlist-attrset labeledURIObject labeledURI

# This is because the data obtained by dynlist is in another ldap directory
database ldap
suffix dc=mydomain,dc=com
access ...
uri ldap:/anotherldap
...
overlay pcache
pcache hdb 1000 1 10 60
pcacheAttrset 0 irisClassifCode sn1 givenName
pcacheMaxQueries 1
pcacheTemplate (&(objectClass=)(irisPersonalUniqueId=)) 0 3600
directory /var/lib/ldap/cachepublica
cachesize 100

The pcacheTemplate is because labeledURI attributes are in the form:

labeledURI: ldap:///dc=mydomain,dc=com?irisClassifCode,sn1,givenName?one?(irisPersonalUniqueID=someCode)

The final search done in the final ldap directory is:

filter=(&(!(objectClass=labeledURIObject))(irisPersonalUniqueID=someCode))

so I think I need to negate the search in the pcacheTemplate, but I can't because I get the error:

/etc/ldap/slapd.conf: line 419: unable to parse template: AttributeDescription contains inappropriate characters.

whenever I try to put the '!' in the template. Is there any way to cache this kind of query?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
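Added example, not OpenLDAP code: a small RFC 4515 filter reader in Python that computes a query's template the way slapo-pcache(5) defines it, the filter with every assertion value stripped, and compares it with a configured pcacheTemplate. Run on the dynlist-generated filter and the template from the configuration above, it shows why the two never match: the query's template carries the (!(objectClass=)) branch that the configured template lacks. The real overlay additionally requires the requested attribute set, base and scope to line up, which this example leaves out; treating attribute names as case-insensitive is an assumption consistent with how LDAP attribute descriptions are matched (the post itself spells the attribute irisPersonalUniqueId in the template and irisPersonalUniqueID in the filter).

```python
"""Filter templates as slapo-pcache compares them.

Added example (not OpenLDAP's code): a small RFC 4515 filter reader that
strips assertion values to obtain the template, then checks whether the
dynlist-generated query would ever be served from the configured
pcacheTemplate.
"""
import re

# Filter and template quoted from the configuration in the post.
DYNLIST_QUERY = "(&(!(objectClass=labeledURIObject))(irisPersonalUniqueID=someCode))"
CONFIGURED_TEMPLATE = "(&(objectClass=)(irisPersonalUniqueId=))"

# an attribute description followed by one of the four assertion operators
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$", re.S)


def parse_filter(text):
    """Parse a filter into ('&'|'|', [children]), ('!', child) or
    ('item', attr, op, value).  Handles AND/OR/NOT and simple, presence and
    substring items; extensible matches are not needed for this thread."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect(s, i, ")")
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", child), _expect(s, i, ")")
    end = s.find(")", i)
    if end < 0:
        raise ValueError("missing ')' for item at offset %d" % i)
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError("cannot parse filter item %r" % s[i:end])
    return ("item", m.group(1), m.group(2), m.group(3)), end + 1


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def template(node):
    """Same structure, attribute names lower-cased, every assertion value
    removed: the form a pcacheTemplate directive is written in."""
    kind = node[0]
    if kind in ("&", "|"):
        return "(%s%s)" % (kind, "".join(template(c) for c in node[1]))
    if kind == "!":
        return "(!%s)" % template(node[1])
    _, attr, op, _value = node
    return "(%s%s)" % (attr.lower(), op)


def matches_template(query_filter, configured):
    """True when the query's template equals the configured template, i.e.
    when pcache could answer it from a cache built for `configured`."""
    return template(parse_filter(query_filter)) == template(parse_filter(configured))


if __name__ == "__main__":
    print("query template:     ", template(parse_filter(DYNLIST_QUERY)))
    print("configured template:", template(parse_filter(CONFIGURED_TEMPLATE)))
    print("cacheable:", matches_template(DYNLIST_QUERY, CONFIGURED_TEMPLATE))
```

The parser keeps the structure the overlay cares about (the AND/OR/NOT tree and the operator of each item) and throws away only the values; a query with a different shape, such as the extra NOT branch that dynlist adds to exclude labeledURIObject entries, therefore produces a different template and bypasses the cache.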